ChoicePoint Is Fined for Data Breach

Joseph MennTimes Staff Writer

The Federal Trade Commission on Thursday hit data broker ChoicePoint Inc. with the largest civil penalty in the agency's history for allowing sensitive consumer information to get into the hands of con artists last year.

The commission levied a $10-million penalty on top of $5 million in restitution -- a total that amounts to more than 10% of the company's 2005 profit. The agency declared that the company falsely assured the public about security precautions while handling personal data carelessly.

In one case, the commission said, the firm sold information to a purported business customer whose own ChoicePoint file suggested a link to possible fraud.

ChoicePoint, of Alpharetta, Ga., maintains more than 19 billion records -- including Social Security numbers and financial histories -- for sale to merchants, banks and government agencies that need to identify or gauge the creditworthiness of consumers.

Commission officials said the company missed many red flags in applications from some customers. Some con artists applied successfully for multiple accounts from the same publicly available fax machine, for example, or submitted revoked business licenses. In at least one case an applicant got access to ChoicePoint data without even supplying a surname, according to the commission.

The company also failed to inquire after would-be customers applied with suspended articles of incorporation, mismatched addresses and contact numbers belonging to residential or cellular phones, the commission said.

ChoicePoint didn't admit to the commission's assertions or to any wrongdoing in the settlement. It did agree to revamp its procedures, including instituting mandatory visits to many customers. It also must submit to security audits every two years through 2026.

In legal papers filed with the settlement, the commission said ChoicePoint improperly exposed records of 163,000 consumers. About 800 people became victims of identity theft as a result; they and future victims of the data breach will share in the $5-million restitution fund.

The FTC cited ChoicePoint for violating the Fair Credit Reporting Act, which requires buyers of credit reports to have a proper purpose, and for violating basic fair-practices laws. It said ChoicePoint was deceptive when it made such statements as "Every ChoicePoint customer must successfully complete a rigorous credentialing process."

The ChoicePoint breach launched a national debate about data security that prompted new laws in more than a dozen states and 18 pieces of proposed federal legislation.

About 125 major data breaches have been disclosed since February, when ChoicePoint notified the first potential victims.

In announcing Thursday's settlement, FTC Chairwoman Deborah Platt Majoras said the commission wanted it to serve as a warning to other businesses that consumer information must be protected.

Data security "must be a priority for financial and corporate America," she said.

The FTC is continuing to investigate practices at other data brokers and at businesses that have lost information on customers, said Lydia Parnes, director of the commission's bureau of consumer protection. "It is one of our top priorities."

Thursday's action generally won praise from consumer groups. The FTC penalty "is a lot of money," even for a big company like ChoicePoint, said Chris Hoofnagle, West Coast director of the nonprofit Electronic Privacy Information Center. "It shows that the FTC is getting serious about security."

ChoicePoint still faces private lawsuits over the data breach. The Securities and Exchange Commission also is investigating whether Chairman Derek Smith and President Doug Curling improperly sold company shares before the breach became public.

The company learned of the data breach in 2004 from investigators with the Los Angeles Sheriff's Department, who arrested Olatunji Oluwatosin of North Hollywood on suspicion of fraud and other charges. Oluwatosin, a Nigerian national, pleaded guilty and is facing at least seven years in prison.

Beginning in January 2002, Oluwatosin used fake businesses with mail drops in Beverly Hills, Hollywood and elsewhere to set up ChoicePoint accounts and access personal information on more than 1,500 people, according to the L.A. County district attorney's office. Search warrants served on ChoicePoint turned up a much wider fraud problem.

By itself, the financial payout will do modest harm to ChoicePoint. Even after a charge for the penalty, the company reported fourth-quarter earnings of $28 million on Thursday on revenue of $258 million.

ChoicePoint shares dropped $3.35, or 7%, to $42.95 after the settlement was announced. In a conference call with investors, ChoicePoint President Curling said the company was pleased with the settlement.

Analyst Bruce Simpson of William Blair & Co. said the stock drop was primarily because profit was lower than expected. The company gave up $20 million in annual revenue by cutting services to small customers in an effort to screen out fraudulent applicants, he said. But sales still increased 6% last year before acquisitions.